Macy’s & Bloomingdale’s Data Breach: What You Need to Know

If you've been shopping online at Macy's or Bloomingdale's recently, beware: The websites of the popular American department stores are the victims of a data breach—one that lasted for nearly two months this spring.

Here's What Happened

Macy's and Bloomingdale's (both owned by parent company Macy's, Inc.) recently sent letters to some of their online customers confirming the retailer had discovered a cybersecurity threat to its systems on June 11, 2018.

According to the letters, first reported by the Detroit Free Press, "an unauthorized third party, from approximately April 26, 2018, through June 12, 2018, used valid customer usernames and passwords to log in to customer online profiles."

Hackers were able to access users' first and last names, addresses, phone numbers, email addresses, birth dates, and debit and credit card numbers with expiration dates, Macy's said. The company added that Social Security numbers and CVV security numbers on the back of cards were not exposed.

The company has blocked the affected user profiles until passwords are changed by the customers, Macy's said.

"We are aware of a data security incident involving a small number of our customers at Macys.com and Bloomingdales.com," the company said in a statement sent to media outlets.

"We have investigated the matter thoroughly, addressed the cause and, as a precaution, have implemented additional security measures. Macy's, Inc. will provide consumer protection services at no cost to those customers. We have contacted potentially impacted customers with more information about these services."

What to Do If You're a Macy's or Bloomingdale's Customer

Users affected by the data breach should have received the customer notification letter about the breach. You should have also received an email indicating that your profile is blocked until you update your password.

If you didn't get the email, Macy's suggests checking your spam folder for an email with the subject line "Important information about your Macy's online profile."

1. Change Your Passwords

If you did get a notification that your account was affected, change your Macys.com or Bloomingdales.com password immediately. If your account was not affected, you may want to update your password anyway. While you're at it, you may want to change the passwords on your credit and debit accounts, as well.

2. Update Your Debit and Credit Card Numbers

Make note of the credit or debit cards you used in your Macy's or Bloomingdale's accounts and call the issuers for new account numbers. Simply explain that you want a new account number and PIN because you're afraid your data has been compromised; they will issue you new cards at no cost. (You won't want to delay—this information can be sold and used quickly on the dark web.)

3. Monitor Your Account Activity

You'll want to keep an eye on your accounts for suspicious activity, as well. Don't just blindly pay off your bills each month—be sure to eyeball your statements to make sure there aren't any unauthorized charges. You can also set up text and email alerts on your credit and debit accounts notifying you when they are used, which will update you in real time if there's an unauthorized purchase.

Be sure to report fraudulent charges immediately. You're not liable for fraudulent credit card transactions, but waiting too long to report a fraudulent debit card charge could leave you on the hook for up to $500.

4. Keep an Eye on Your Credit

Data breaches are a fact of life in an increasingly digital world, which is why it's smart to remain vigilant about your identity. The best thing you can do is to monitor your credit reports for new inquiries or account openings that may be the handiwork of identity thieves.

If you're concerned about fraudulent activity, consider filing a free initial security alert at the Experian fraud center; the alert remains active on your account for 90 days. (You only need to file it with one bureau—they are legally required to share such alerts with their counterparts, so you don't need to file with all three.)

This fraud alert will notify any lenders pulling your credit report to take extra steps to verify your identity—a measure that can frustrate and dissuade identity thieves. However, fraud alerts do not block access to your credit reports altogether. For the highest level of protection, you might want to freeze your credit reports, a measure that prevents lenders from issuing new credit in your name altogether.

Credit freezes currently cost about $10, though they can go up to $20 depending on the state where you reside. There is also a small fee to "unfreeze" your credit if you need to apply for credit in your name. Congress recently passed legislation making credit freezes free, but that change does not take effect until this fall.

Editorial Disclaimer: Opinions expressed here are author's alone, not those of any bank, credit card issuer, or other company, and have not been reviewed, approved or otherwise endorsed by any of these entities. All information, including rates and fees, are accurate as of the date of publication.
